Annotation of embedaddon/php/ext/openssl/README, revision 1.1.1.1

1.1       misho       1: OpenSSL extension for PHP
                      2: 
                      3: $Id: README 242949 2007-09-26 15:44:16Z cvs2svn $
                      4: 
                      5: The functions implemented so far make it possible to seal and open data, and
                      6: also create and verify signatures.
                      7: 
                      8: NEW: support for S/MIME encrypt/decrypt/sign/verify, as well as more
                      9: flexibility for specifying certificates/keys.
                     10: 
                     11: To enable the extension, configure PHP with --with-openssl.
                     12: 
                     13: Specifying keys/certificates
                     14: ----------------------------
                     15: 
                     16: Most of the functions require a key or a certificate as a parameter; to make
                     17: things easy for you to use openssl, this extension allows you
                     18: to specify certificates in the following way:
                     19: 
                     20: 1. As an X.509 resource returned from openssl_x509_read
                     21: 2. As a string in the format file://filename, where filename is the path to the
                     22:    certificate file (it will be opened and read automatically)
                     23: 3. As a string containing the data from the certificate file
                     24: 
                     25: Similarly, you can use the following methods of specifying a public key:
                     26: 
                     27: 1. As a key resource returned from openssl_get_publickey
                     28: 2. An X509 resource - public key only
                     29: 3. As a string in the format file://filename
                     30: 4. As a string containing the data from the key file
                     31: 
                     32: Additionally, for a private key, when the openssl extension function does not
                     33: allow you to enter the passphrase as a parameter you may use the syntax
                     34: array($key, "passphrase") where $key can be a key specified using one of the
                     35: methods listed above.
                     36: 
                     37: Certificate Verification
                     38: ------------------------
                     39: When calling a function that will verify a signature/certificate, the cainfo
                     40: parameter is an array containing file and directory names that specifiy the
                     41: locations of trusted CA files.  If a directory is specified, then it must be a
                     42: correctly hashed directory.
                     43: 
                     44: Misc:
                     45: -----
                     46: 
                     47: mixed openssl_error_string()
                     48: 
                     49: returns the message from the last error that the OpenSSL library encountered
                     50: and moves it's internal error pointer to the next message.  If there are no
                     51: more error messages, returns false.
                     52: 
                     53: General Key/Cert Functions:
                     54: ---------------------------
                     55: 
                     56: resource openssl_get_privatekey(mixed key [, string passphrase])
                     57: 
                     58: Parses the key data and returns a key resource identifier. If the key is
                     59: encrypted a passphrase is needed. This can be supplied as second argument.
                     60: 
                     61: 
                     62: resource openssl_get_publickey(mixed cert)
                     63: 
                     64: Extracts the public key from the given certificate or public key and returns
                     65: a key resource identifier.
                     66: 
                     67: 
                     68: void openssl_free_key(resource key)
                     69: 
                     70: Frees the resource given by the key resource identifier.
                     71: Note that this function does not accept the extended key specification
                     72: syntax mentioned above, as it doesn't make sense in this case!
                     73: 
                     74: array openssl_x509_parse(mixed x509[, bool shortnames=true])
                     75: 
                     76: Parses the certificate data and returns an array containing information
                     77: about the certificate, it's intended purposes, subject, issuer, validity
                     78: etc. etc.  If shortnames is true (the default) then the fields will be
                     79: keyed by the shortname forms eg: CN as opposed to commonName (shortnames
                     80: = false).
                     81: 
                     82: 
                     83: bool openssl_x509_checkpurpose(mixed x509cert, int purpose,
                     84:        array cainfo[, string untrustedfile])
                     85: 
                     86: Verifies if the certificate can be used for a specific purpose.
                     87: Purpose can be one of the following values:
                     88:        X509_PURPOSE_SSL_CLIENT
                     89:        X509_PURPOSE_SSL_SERVER
                     90:        X509_PURPOSE_NS_SSL_SERVER
                     91:        X509_PURPOSE_SMIME_SIGN
                     92:        X509_PURPOSE_SMIME_ENCRYPT
                     93:        X509_PURPOSE_CRL_SIGN
                     94:        X509_PURPOSE_ANY
                     95: 
                     96: cainfo is an array of CA information (as mentioned above).
                     97: untrusted file specifies a file containing a bunch of certs that
                     98: are not trusted but may be useful in validating the certificate.
                     99: 
                    100: 
                    101: resource openssl_read_x509(mixed cert)
                    102: 
                    103: Parses the cert and returns a resource that can be used with the
                    104: other openssl functions
                    105: 
                    106: 
                    107: void openssl_free_x509(resource x509)
                    108: 
                    109: Frees the resource given by the x509 resource identifier.
                    110: Note that this function does not accept the extended cert specification
                    111: syntax mentioned above, as it doesn't make sense in this case!
                    112: 
                    113: 
                    114: PKCS7 (S/MIME) Sign/Verify/Encrypt/Decrypt Functions:
                    115: -----------------------------------------------------
                    116: 
                    117: These functions allow you to manipulate S/MIME messages!
                    118: 
                    119: They are based on apps/smime.c from the openssl dist, so for information,
                    120: see the documentation for openssl.
                    121: 
                    122: You may pass in some flags that affect how these functions work using
                    123: and array containing the following values:
                    124: "detached", "nodetached", "text", "nointern", "noverify", "nochain",
                    125: "nocerts", "noattr", "binary", "nosigs".
                    126: The options correspond to the options of the same name for the
                    127: "openssl smime" command (smime(1)).
                    128: 
                    129: 
                    130: bool openssl_pkcs7_verify(string filename, array flags[, string signerscerts][,
                    131:                array cainfo])
                    132: 
                    133: Verifies that the signature on the MIME message contained in the file
                    134: named by filename is valid.  If signerscerts is passed in, it holds the
                    135: name of a file into which the certificates of those that signed the
                    136: message will be stored.
                    137: cainfo and flags are CA information and flag information as described
                    138: above.
                    139: 
                    140: 
                    141: bool openssl_pkcs7_encrypt(string infile, string outfile, array recipcerts,
                    142:                array headers[, array flags])
                    143: 
                    144: Encrypts the MIME message contained in the file named by infile using
                    145: the certificates held in recipcerts.  The result is place in the file
                    146: named outfile.
                    147: recipcerts is an array of certificate identifiers representing the certs
                    148: of the intended recipients of the message.
                    149: headers is an array of headers to prepend to the message: they will
                    150: not be included in the encoded section.
                    151: flags is flag information as described above.
                    152: Hint: you will want to put "To", "From", and "Subject" headers in headers.
                    153: Headers can be either an assoc array keyed by header named, or can be
                    154: and indexed array containing a single header line per value.
                    155: The message will be encoded using a RC2-40 bit cipher.
                    156: TODO: allow user to specify cipher.
                    157: 
                    158: bool openssl_pkcs7_sign(string infile, string outfile, mixed signcert, mixed
                    159:                signkey, array headers[, array flags][, string extracertsfilename])
                    160: 
                    161: Signs the MIME message contained in the file named by infile using the
                    162: certificate and key pair identified by signcert/signkey.
                    163: Signkey must be the private key corresponding to signcert.
                    164: The result is placed in the file named by outfile.
                    165: Headers and flags have the same effects as mentioned above.
                    166: extracertsfilename names a file containing a bunch of additional certificates
                    167: to include in the signature, in order to aid the recipient in verifying the
                    168: message.
                    169: 
                    170: 
                    171: bool openssl_pkcs7_decrypt(string infilename, string outfilename, mixed
                    172:                recipcert, mixed recipkey)
                    173: 
                    174: Decrypts the MIME message contained in the file named by infilename
                    175: using the certificate and private key pair recipcert/recipkey.
                    176: The descrypted result is placed in outfilename.
                    177: TODO: add flags parameter, if needed?
                    178: 
                    179: 
                    180: EVP Sign/Verify/Encrypt/Decrypt Functions:
                    181: ------------------------------------------
                    182: 
                    183: bool openssl_sign(string data, &string signature, mixed key)
                    184: 
                    185: Uses key to create signature for data, returns true on success and false
                    186: on failure. signature is passed by reference and contains the newly created
                    187: signature on success.
                    188: 
                    189: 
                    190: int openssl_verify(string data, string signature, mixed key)
                    191: 
                    192: Uses key to verify that the signature is correct for the given data.
                    193: Returns 1 if correct, 0 if incorrect, and -1 on error.
                    194: 
                    195: 
                    196: int openssl_seal(string data, &string sealdata, &array ekeys, array pubkeys)
                    197: 
                    198: Encrypts data using pubkeys, so that only owners of the respective private
                    199: keys and ekeys can decrypt and read the data. Returns the length of the
                    200: sealed data on success, else false. On success, sealdata and ekeys hold
                    201: the sealed data and envelope keys.
                    202: 
                    203: 
                    204: bool openssl_open(string data, &string opendata, string ekey, int privkey)
                    205: 
                    206: Opens (decrypts) sealed data using a private key and the corresponding
                    207: envelope key. Returns true on success and false on failure.  On success,
                    208: opendata will hold the descypted data.
                    209: 
                    210: 
                    211: See below for more details on usage. Also feel free to mail me at
                    212: venaas@php.net if you have questions. The OpenSSL documentation,
                    213: especially the EVP documentation at
                    214: http://www.openssl.org/docs/crypto/evp.html, might also be of help.
                    215: 
                    216: 
                    217: HOWTO:
                    218: 
                    219: To do anything you need a private key and a certificate containing the
                    220: corresponding public key. This is similar to what you have using say an
                    221: Apache webserver with OpenSSL. For testing you could try keys that come
                    222: with OpenSSL, that's what the sample scripts below do. You can also get
                    223: keys from some CA, or you can create them yourself.
                    224: 
                    225: 
                    226: Creating private key
                    227: 
                    228: To generate an unprotected 1024 bit RSA private key you can do
                    229: 
                    230:    openssl genrsa -out /tmp/test.key 1024
                    231: 
                    232: Private keys should be protected by a passphrase though.
                    233: 
                    234: 
                    235: Creating a self signed certificate
                    236: 
                    237: To generate a self signed certificate from the key that is valid for
                    238: 365 days, do
                    239: 
                    240:     openssl req -new -key /tmp/test.key -out /tmp/test.crt -days 365 -x509
                    241: 
                    242: 
                    243: Example usage
                    244: 
                    245: These examples use keys that come with OpenSSL, you should perhaps test with
                    246: those first.
                    247: 
                    248: 
                    249: Seal and open
                    250: 
                    251:      <?php
                    252:      $data = "Follow the white rabbit";
                    253: 
                    254:      // Get certificate into a string
                    255:      // this file comes with OpenSSL 0.9.6
                    256:      $fp = fopen("/src/openssl-0.9.6/demos/maurice/cert.pem", "r");
                    257:      $cert = fread($fp, 8192);
                    258:      fclose($fp);
                    259:      // get public key from certificate
                    260:      $pk1 = openssl_get_publickey($cert);
                    261:      // $pk1 is an encryption key resource id if success, else false
                    262:      // Repeat if want public keys for multiple parties
                    263: 
                    264:      $fp = fopen("/src/openssl-0.9.6/demos/sign/cert.pem", "r");
                    265:      $cert = fread($fp, 8192);
                    266:      fclose($fp);
                    267:      $pk2 = openssl_get_publickey($cert);
                    268: 
                    269:      // seal data, only owners of $pk1 and $pk2 can decrypt $sealed with keys
                    270:      // $ekeys[0] and $ekeys[1] respectively.
                    271:      openssl_seal($data, $sealed, $ekeys, array($pk1,$pk2));
                    272:      openssl_free_key($pk1);
                    273:      openssl_free_key($pk2);
                    274: 
                    275:      // now we try to decrypt data for one of the recipients
                    276:      $fp = fopen("/src/openssl-0.9.6/demos/sign/key.pem", "r");
                    277:      // Get PEM coded key into $pkey 
                    278:      $pkey = fread($fp, 8192);
                    279:      fclose($fp);
                    280:      // $key will be resource id for unpacked $pkey
                    281:      $key = openssl_get_privatekey($pkey);
                    282: 
                    283:      openssl_open($sealed, $open, $ekeys[1], $key);
                    284:      openssl_free_key($key);
                    285:      echo "$open\n";
                    286:      ?>
                    287: 
                    288: 
                    289: Sign and verify
                    290: 
                    291:      <?php
                    292:      $data = "Follow the white rabbit";
                    293: 
                    294:      // First we need to have a string containing the private key in PEM format
                    295:      // this file comes with OpenSSL 0.9.6
                    296:      $fp = fopen("/src/openssl-0.9.6/demos/sign/key.pem", "r");
                    297:      $pkey = fread($fp, 8192);
                    298:      fclose($fp);
                    299: 
                    300:      // get private key from the PEM format
                    301:      // $key is an encr key resource id if success, else false
                    302:      $key = openssl_get_privatekey($pkey);
                    303: 
                    304:      // calculate signature
                    305:      openssl_sign($data, $signature, $key);
                    306:      openssl_free_key($key);
                    307: 
                    308:      // recipient verifies signature
                    309:      // read certificate
                    310:      $fp = fopen("/src/openssl-0.9.6/demos/sign/cert.pem", "r");
                    311:      $cert = fread($fp, 8192);
                    312:      fclose($fp);
                    313: 
                    314:      // Get public key from the certificate
                    315:      $pubkey = openssl_get_publickey($cert);
                    316: 
                    317:      // state whether signature is okay or not
                    318:      echo openssl_verify($data, $signature, $pubkey) == 1 ? "ok\n" : "bad\n";
                    319: 
                    320:      // free key
                    321:      openssl_free_key($pubkey);
                    322:      ?>

FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>